Tag: htaccess

Security, Tutorials, WordPress

Block WordPress REST API user enumeration without breaking the admin

| by admin | Leave a Comment on Block WordPress REST API user enumeration without breaking the admin
Close-up of JavaScript code showing ajaxTransport, encodeURIComponent, and readyState functions — typical view of REST API client code (photo: Markus Spiske / Pexels)

By default every WordPress install since 4.7 leaks usernames over a public, unauthenticated REST endpoint. Anyone — no login, no auth header, just a browser — can hit https://yoursite.com/wp-json/wp/v2/users and get a JSON array of every user the site considers …

Continue reading "Block WordPress REST API user enumeration without breaking the admin"
Security, Tutorials, WordPress

Block PHP execution in wp-content/uploads on OpenLiteSpeed: the right .htaccess snippet

| by admin | Leave a Comment on Block PHP execution in wp-content/uploads on OpenLiteSpeed: the right .htaccess snippet
Computer monitor displaying terminal output: system metrics, file listings, and kernel error messages — typical sysadmin view (photo: Tima Miroshnichenko)

wp-content/uploads/ is the most predictable target on a WordPress install. It’s writable by the web server (so any compromise that gets a file uploaded lands here), it’s almost never inspected by malware scanners with the same vigilance as wp-includes/, …

Continue reading "Block PHP execution in wp-content/uploads on OpenLiteSpeed: the right .htaccess snippet"